hadoop-yarn-issues mailing list archives

From "Alejandro Abdelnur (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-1253) Changes to LinuxContainerExecutor to use cgroups in unsecure mode
Date Tue, 01 Oct 2013 17:48:26 GMT

    [ https://issues.apache.org/jira/browse/YARN-1253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13783161#comment-13783161 ]

Alejandro Abdelnur commented on YARN-1253:
------------------------------------------

If we say that today people should use LCE for cgroups in unsecure mode, then this JIRA is
a bug. If we say that LCE is not supported in unsecure mode, then this is an improvement to
enable such. IMO, this JIRA is a bug, but I'm OK either way.

Correct, in unsecure mode, any user can delete all data in HDFS. If we look at what any user
can do in the node local filesystem:

* Using DCE, it can access/modify all data owned by yarn user.
* Using LCE, it can access/modify all data owned by any non-system user.

The second scenario is particularly dangerous because any user could get access to private
ssh keys of other users available in the nodes (this would typically be a cluster admin user)
or in the case of automatic NFS mounts available to cluster (which I've seen in multiple setups)
any user could gain access to data of other users outside of the cluster.

This JIRA is proposing adding LCE to run container processes as a fixed local run-as-user, it
could be 'nobody' by default.

By running the container processes with the run-as-user being 'nobody' we are restricting local
filesystem access to the permissions of the 'nobody' user in unsecure mode.

This run-as-user should be configurable for audit purposes as in some setups admins may want
to track with a special user all container processes.


> Changes to LinuxContainerExecutor to use cgroups in unsecure mode
> -----------------------------------------------------------------
>
>                 Key: YARN-1253
>                 URL: https://issues.apache.org/jira/browse/YARN-1253
>             Project: Hadoop YARN
>          Issue Type: New Feature
>          Components: nodemanager
>    Affects Versions: 2.1.0-beta
>            Reporter: Alejandro Abdelnur
>            Assignee: Roman Shaposhnik
>            Priority: Blocker
>
> When using cgroups we require LCE to be configured in the cluster to start containers.
> When LCE starts containers as the user that submitted the job. While this works correctly
> in a secure setup, in an un-secure setup this presents a couple issues:
> * LCE requires all Hadoop users submitting jobs to be Unix users in all nodes
> * Because users can impersonate other users, any user would have access to any local
>   file of other users
> Particularly, the second issue is not desirable as a user could get access to ssh keys
> of other users in the nodes or if there are NFS mounts, get to other users' data outside of
> the cluster.



--
This message was sent by Atlassian JIRA
(v6.1#6144)
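
Added example (not part of the original message and not Hadoop code): a small Python model of the local-filesystem exposure compared in the comment above, narrowed to read access under POSIX owner/group/other bits. The file inventory, the user and group table, and the set treated as "system users" are constructed assumptions.

```python
import stat
from collections import namedtuple

# Constructed inventory of files on a NodeManager host (sample data, not from the message).
File = namedtuple("File", "path owner group mode")
FILES = [
    File("/home/admin/.ssh/id_rsa", "admin", "admin", 0o600),
    File("/home/alice/data.csv", "alice", "users", 0o640),
    File("/mnt/nfs/bob/report.txt", "bob", "users", 0o600),
    File("/var/lib/yarn/local/usercache/app.jar", "yarn", "hadoop", 0o640),
    File("/etc/passwd", "root", "root", 0o644),
    File("/etc/shadow", "root", "root", 0o600),
]
# Constructed user -> groups table.
GROUPS = {
    "root": {"root"}, "yarn": {"hadoop"}, "nobody": {"nogroup"},
    "admin": {"admin"}, "alice": {"users"}, "bob": {"users"},
}
# Assumption: accounts that cannot be impersonated as a job submitter.
SYSTEM_USERS = {"root", "yarn", "nobody"}

def can_read(user, f):
    """POSIX check: the first matching class (owner, group, other) decides."""
    if user == f.owner:
        return bool(f.mode & stat.S_IRUSR)
    if f.group in GROUPS.get(user, ()):
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)

def reachable(identities):
    """Files readable by at least one identity a container could run as."""
    return sorted(f.path for f in FILES if any(can_read(u, f) for u in identities))

def exposure():
    """Compare the three execution models discussed in the comment."""
    non_system = [u for u in GROUPS if u not in SYSTEM_USERS]
    return {
        "DCE (containers run as yarn)": reachable(["yarn"]),
        "LCE, unsecure mode (any non-system user)": reachable(non_system),
        "LCE, fixed run-as-user 'nobody'": reachable(["nobody"]),
    }

if __name__ == "__main__":
    for model, paths in exposure().items():
        print(f"{model}: {len(paths)} readable")
        for p in paths:
            print("   ", p)
```
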
